Solved: Why is time chart with span of 1w always Thursday ...

mumblingsages · ‎08-11-2017

Title pretty much says it all. Every time I go to run a time chart with a span of 1 week it runs from Thursday to Thursday. Is there a specific reason for this? I have a work around for it in most situations (one exception right now being counts by event types), but my gosh its annoying.

Is there a setting somewhere to control this behavior?

woodcock · ‎08-11-2017

One of these 2 links should give you what you need:
https://answers.splunk.com/answers/5350/possible-to-redefine-w-to-start-on-different-day.html
https://answers.splunk.com/answers/208499/how-to-group-events-per-weeknumber.html

In your case, I think all that you need to do is add the correct w# value to your span=1w (e.g. span=1w@w0 ); see what this does when run for Last 7 days:

index=_*
| multireport [
| bin span=1w@w0 _time
| eval DATASET="w0"
| stats count BY _time DATASET
][
| bin span=1w@w3 _time
| eval DATASET="w1"
| stats count BY _time DATASET
]

View solution in original post

woodcock · ‎08-11-2017

Try it again tomorrow!

woodcock · ‎08-11-2017

One of these 2 links should give you what you need:
https://answers.splunk.com/answers/5350/possible-to-redefine-w-to-start-on-different-day.html
https://answers.splunk.com/answers/208499/how-to-group-events-per-weeknumber.html

In your case, I think all that you need to do is add the correct w# value to your span=1w (e.g. span=1w@w0 ); see what this does when run for Last 7 days:

index=_*
| multireport [
| bin span=1w@w0 _time
| eval DATASET="w0"
| stats count BY _time DATASET
][
| bin span=1w@w3 _time
| eval DATASET="w1"
| stats count BY _time DATASET
]

DalJeanis · ‎08-11-2017

TL:DR;

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

That's somewhat inconsistent, relative to the "@w" convention.

First, in a normal search, bin appears to use info_min_time to determine what day of the week is the first. That factor seems to affect even searches based on gentimes.

However, if you append something else, the bin for the something else is not necessarily the same, even if the _bin appears in the search after the various appends have occurred.

Second, because the first day in the universe (1/1/1970) was a Thursday, this formula will always become a Thursday. That appears to affect certain kinds of created data.

  | eval _time=604800*floor(_time/604800)

If you want a different day, then do this, where 4 is the number of days earlier in the week you want to move. Four days before Thursday is Sunday, so this will bin the weeks starting on Sunday.

 | eval _time = -4*86400+604800*floor((_time+4*86400)/604800)

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

... and here's a run-anywhere snippet that you can play with to check what works and what doesn't...

| gentimes start=05/31/16 end=8/1/16 
| eval _time =starttime
| eval time1=strftime(_time,"%Y-%m-%d %a")
| eval time2=strftime(relative_time(_time,"@w"),"%Y-%m-%d %a") 
| bin _time span=1w as time3
| eval time3=strftime(time3,"%Y-%m-%d %a")
| eval _time = -4*86400+604800*floor((_time+4*86400)/604800) 
| stats values(time1) as time1 values(time2) as time2 values(time3) as time3 count by _time 
| eval showtime=strftime(_time,"%Y-%m-%d %a")|

mumblingsages · ‎08-11-2017

Thanks both of you. I had been doing the eval relative time thing. But strangely enough , timechart with a span=1w@w0 is now giving me exactly what I wanted. I swear I've tried this before an it never worked but now is...

woodcock · ‎03-15-2019

OK, so come back here and either post your own answer or click Accept on an existing one to close the question. Maybe UpVote around, too.

Why is time chart with span of 1w always Thursday to Thursday?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes